Mobile application control

ABSTRACT

A device user may determine what applications from a set of applications may access the corporate network and which applications do not access the network. An indication of the limits on what a corporate network may access on a user personal device may be provided to a user and either accepted or rejected. The user, if the user agreement is accepted, may receive a list of allowed applications and modify the list by removing applications on the list which the user does not want to send data to the corporate network. Both the user and a corporate network administrator may view the user accepted limits and track what user device applications actually have accessed the corporate network to confirm compliance with the limits.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the priority benefit of U.S. Provisional Application Ser. No. 61/973,248, titled “Mobile Connect,” filed Mar. 31, 2014, the disclosure of which is incorporated herein by reference.

BACKGROUND OF THE INVENTION

Consumers continue to push for a mechanism that allows them to use their own device to perform typical work tasks. In most cases, these devices are owned by the individual user, which means the company may have zero control over them. Because companies have little if any control over these user devices, there is concern regarding providing the device access to corporate remote networks due to the potential for attack vectors (nefarious applications, leaking, tampering, or otherwise disclosing of critical intellectual property owned by company). The market has coined the term “unmanaged device” or “BYOD” (bring your own device) to represent any device that is not owned or controlled by the company that needs access to the corporate network so the employee can do their work. In most cases, this device is owned by the employee requesting access. Some companies require employee devices to be put under mobile device management (MDM) control before allowed onto the corporate network, but such a configuration is not really zero control.

Most mobile solutions are all or nothing—all data is shared or no data is shared with respect to a corporate intranet (i.e., an appliance based network). With the advent of BYOD, users need to access the corporate intranet but do not want their personal information to be available to the corporate intranet. Likewise, the corporate intranet may not want to risk exposure to certain content on the user device that is not germane (or appropriate) for the corporate network.

Secure communication with a corporate network can be achieved through virtual private network (VPN) connections. Current VPN clients that provide application level control block traffic in that VPN application running on the client device. For example, some companies provide a per-app VPN solution. Despite current VPN per application solutions, there are still concerns regarding the vulnerability of corporate network access from personal user devices.

There is a need in the art for managing access to corporate networks by users' personal devices at the application level that protects corporate interests while protecting personal data of users.

SUMMARY OF THE CLAIMED INVENTION

An appliance works in conjunction with an agent on a remote device to control application access to a corporate network. In conjunction with an SSL tunnel and policy operating at the appliance, granular application control may be implemented. In particular, a device user may determine what applications from a set of applications may access the corporate network and which applications do not access the network. A user agreement indicating the limits on what a corporate network may access on a user personal device may be provided to a user and either accepted or rejected. The user, if the user agreement is accepted, may receive a list of allowed applications and modify the list by removing applications on the list which the user does not want to send data to the corporate network. Both the user and a corporate network administrator may view the user accepted limits and track what user device applications actually have accessed the corporate network to confirm compliance with the limits.

An embodiment may include a method for establishing a connection. The method may include establishing a connection between a user client device and a server. The user client device may have a plurality of applications and be associated with a user. A user agreement regarding what a corporate network will access on the user client device may be presented to the user through the user client device and from the server. A confirmation may be received of the user agreement from the user by the client device. The client may be provided with access to the corporate network by the server.

In an embodiment, a system for establishing a connection may include a device having a processor, memory, and an agent stored in memory and executable by the processor to establish a connection between a user client device and a server, the user client device having a plurality of applications and associated with a user, present to the user through the user client device a user agreement on what a corporate network will access on the user client device, receive a confirmation of the user agreement from the user by the client device, and provide the client access to the corporate network.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a block diagram of a client communicating with a remote server.

FIG. 2 illustrates a block diagram of a client having an agent.

FIG. 3 illustrates a method for providing application access to a network.

FIG. 4 illustrates a method for verifying user acceptance of a user agreement.

FIG. 5 is a block diagram of an exemplary system for implementing a computing device.

DETAILED DESCRIPTION

An intranet appliance works in conjunction with an agent on a remote device to control application access to a corporate network. In conjunction with an SSL tunnel and policy operating at the appliance, granular application control may be implemented. In particular, a device user may determine what applications from a set of applications may access the corporate network and which applications do not access the network.

A device user may determine what applications from a set of applications may access the corporate network and which applications do not access the network. A user agreement indicating what a corporate network may access on a user personal device may be provided to a user and either accepted or rejected. The user, if the user agreement is accepted, may receive a list of allowed applications and modify the list by removing applications on the list which the user does not want to send data to the corporate network. Both the user and a corporate network administrator may view the user accepted limits and track what user device applications actually have accessed the corporate network to confirm compliance with the limits.

FIG. 1 illustrates a block diagram of a client communicating with a remote server. The system of FIG. 1 includes client device 110, network 120, VPN appliance 130, and corporate network 140. VPN appliance 130 may include tunnel server 136, policy server 134, and data store 138. Corporate network 140 may include one or more servers such as corporate server 142.

Client 110 may include a user device that is not controlled by the entity that provides corporate network 140. Client 110 may be implemented as a mobile device such as a smart phone, tablet or laptop computer, a desktop computer, or other computing device.

Network 120 may include one or more networks used to communicate data between client device 120 and, ultimately, corporate server 142. For example, network 120 may include a private network, public network, the Internet, an intranet, a local area network, a wide area network, a wireless network, a cellular network, and a combination of these networks.

Tunnel server 130 on VPN appliance 125 may establish a VPN tunnel and communicate with client device 110 and serve as an intermediary between client device 110 and corporate server 142. This VPN may be used to allow applications on the client device 110 to communicate with a corporate server 142 in a secure fashion even though traffic is flowing over a public network 120.

The policy server may include one or more applications that perform functionality discussed herein, such as for example generating and applying policy rules. Datastore 138 may store and process data, and is accessible by servers 132, 134 and 136. For example, datastore 138 may store communication log data, application lists, application information, and other data. The client device 110 may communicate with tunnel server 136 to authorize access to corporate server 142. The client may also communicate through an API Server 132 which is a peer to the tunnel server and is used to authenticate the user, retrieve the list of applications, authenticate a device, and other functionality. Both API Server 132 and Tunnel Server 136 may communicate with policy server 134 to obtain policy decisions to help provide responses to client requests.

Corporate server 142 of corporate network 140 may be accessed by the user device 110 through tunnel server 136 of VPN appliance 130. In this case, tunnel server 136 may receive and analyze all network traffic to confirm the traffic is from an authorized application before the traffic may access the corporate server. Access to corporate server 142 and other resources on corporate network 140 is determined by both policy server 134 and tunnel server 136. Tunnel Server 136 provides policy enforcement and traffic analysis while policy server 134 is the policy decision point, and the two servers work in concert to both analyze traffic and apply policy.

FIG. 2 illustrates a block diagram of a client having an agent. Agent 240 may communicate with tunnel server 230 and API Server 280 to implement client side functionality of the present technology. For example, agent 240 may provide an interface to a user for selecting one or more of a set of applications allowed to access the corporate network 140, collect data at the device and provide the data to tunnel server 136 or API server 132, and other functionality.

Agent 240 may communicate with applications 210-230 on device 110 and may generate and manage application objects 250-260. An application may correspond to each application object. An application object may include the application name, version, and other data for a corresponding application. Agent 240 may transmit application information within each application object to tunnel server 136 or API server 132 to allow policy server 134 to make access control decisions.

FIG. 3 illustrates a method for providing application access to a network. A VPN connection is established between the tunnel server and an agent 240 on the client at step 310. The agent may initiate the VPN establishment by sending a VPN request to the VPN appliance.

A user is authenticated at step 310. User authentication is performed to identify the user of the device. A user device is then classified to determine if it meets acceptable parameters at step 315. In some instances, an administrator defines a set of device attributes, and the system may attempt to find a set of attributes that match the device. Classification of the device may include retrieval of a unique equipment identifier along with other device attribute data. The unique equipment identifier and device attribute data may be collected by an agent and transmitted to policy server 134. The attribute data may be used by the policy server to determine if client device 110 may allow for application control by the policy server via the agent.

Once the user is authenticated and the device is classified, the data store is queried to determine if a matching entry for the user and device exists. If the user and device combination are found in the data store, then the user and device have established a connection with the corporate network before and the version of the user agreement previously agreed to by the user is checked against the most recent version at step 317. If the user has already accepted the current user agreement at step 317, and therefore the most recent user agreement has not changed from the stored user agreement for the user and device combination, then the method continues to step 325 and the present system does not provide the user with the same user agreement and a portion of or all of step 320 (and corresponding method of FIG. 4) will not be performed for the current session.

If the device requires a new user agreement to be accepted, either because the user and device combination is not found in the data store or the current version of the user agreement does not match the stored version of the user agreement, the method continues from step 317 to step 320.

User acceptance of a user agreement is verified at step 320. Once a user accepts a user agreement, the user may be authorized for the corporate network access. In some embodiments, a policy server determines authorization of the user and device, and checks access permissions. The policy allows for application access to particular data for a particular device type and user type. Once the user has accepted the user agreement, the user may be authorized to access a corporate network. More detail for user acceptance of the user agreement is provided with respect to FIG. 4.

Application traffic may be transmitted to the corporate network at step 325. An agent on the client device may monitor communication data and provide information to the user of the device regarding what applications are communicating with the corporate network.

An audit may be performed on the application data sent to the corporate network at step 330. The server will collect data as packets are transmitted to the corporate network regarding which user and device are sending traffic. The data may include an application identifier and version specific hash, which is collected for any application that sends data to the corporate network. The server may receive the data and store the data for each session between the user and device combination and the corporate network.

The administrator may access the stored session data on the VPN appliance and identify which applications on the particular user device and for a particular user have sent data to the corporate network. The user may access data stored by the agent on the client device to identify which applications have sent data to which destination on the corporate network. The user and administrator may also access the limits agreed to by the user regarding application data to be sent to the corporate network. From this information, the user or administrator may each determine whether the application data transmitted complied with the limits agreed to by the user, thereby auditing the application data access by the corporate network.

FIG. 4 illustrates a method for verifying user acceptance of a user agreement. The method of FIG. 4 provides more detail for step 325 of the method of FIG. 3. A user is provided with a user agreement regarding corporate network access to application data from applications on the user's device at step 405. The user agreement is a mutual contract between the corporate network operator and the end user where the end user can choose to accept it to be granted access to the corporate network or decline and end their session. The language contained within the user agreement may be drafted by the corporate network legal counsel.

The user agreement may specify policies and rules regarding how the network access may access data, when it may access data, and generally inform the user of application data access over the corporate network. In some instances, the user agreement may be a contract offer to the user. The indication is received by the user device from a server and provided to the user through an interface of the user device. A determination is then made as to whether the user accepts the user agreement at step 410. If the user does not accept the limits indicated, access to the corporate network is denied to the user and user device combination at step 415. If the user has not accepted the user agreement, upon a subsequent login attempt, the user may again be prompted to comply with the user agreement. If the user does accept the limits, the user's acceptance of the limits and the indication of the limits are stored at step 420. If the user accepts the user agreement, a copy of the user agreement is stored on the client device. A record for the user, device and user agreement version number may also be created or updated at the VPN appliance to reflect the user's acceptance. The user's acceptance will not be required from the user again for the same user agreement for the particular user and user device combination.

The agent on the client device is provided with a list of applications from the VPN appliance, wherein the listed applications are allowed to access the corporate network at step 425. The list of applications is determined by the access policy configured by an administrator which contains detailed information on which users, devices, applications, and destinations should be granted access. If the received application list is the same list as that received during the previous session, the agent does nothing (e.g., will not present the newly received list to the user) and the method of FIG. 4 continues to step 440 (i.e., no input is received from the user as no applications from the newly received list are provided to the user).

If the list is different from the previous session for the user and device, or the list is provided during the first session for the user and device combination, the agent on the client device presents the list of applications to the user via an interface of the device. The user may choose to block applications on this list from accessing the corporate network and have network traffic data flow over the VPN. For each application, the application type may be specified along with particular versions or configurations of the application that may be allowed to access the corporate network. A determination is then made as to whether input is received from the user to remove applications from the list at step 430. If such input is received, the user selected applications are removed from the list at step 435 and the method continues to step 440. In some instances, if the user removes all the applications from the list, the session may be terminated. Otherwise, network access may be provided to application data from applications on the list at step 440. At any time during the session, the user may change the applications on the current list which are authorized to send data to the corporate server.

If the user removes an application from the list by deselecting it, the client device will not send traffic from that application to the corporate network. A network administrator may not be notified that the user chose to limit the application set to less than what was authorized by the network administrator. Hence, what the user decides to allow or not allow the company to use on their device is not shared with the network administrator. For example, if the user would like to use a particular network browser to access monster.com to look for a new job, the user likely will not want to have to explain to her supervisor why they disabled it.

At any time during the current session, a network administrator may access the version number of the user agreement accepted by the user, as this information is stored in the data store 138. The user may also access a copy of the user agreement that they have previously agreed to, and may access a copy which has been stored on their device. The user may access a copy at any time via a menu setting on a UI provided by the VPN agent 240.
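The agreement-version check, application-list handling and audit steps of FIGs. 3 and 4 above, as an added illustrative model that is not code from the patent or from any product it describes. The class names, the `(user, device)` record key, the truncated SHA-256 as the "version specific hash", and the sample application names are all assumptions made for this example; the point it shows is that the user's trimmed list is enforced only at the agent, while the appliance audits traffic against the administrator's list.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple
import hashlib


@dataclass(frozen=True)
class AppInfo:
    """Application object (FIG. 2): name and version; hashed for the audit log."""
    name: str
    version: str

    def version_hash(self) -> str:
        # Assumed form of the "application identifier and version specific hash".
        return hashlib.sha256(f"{self.name}@{self.version}".encode()).hexdigest()[:16]


@dataclass
class DeviceRecord:
    """Data-store entry for one user/device combination (steps 420 and 425)."""
    agreement_version: Optional[int] = None
    last_app_list: FrozenSet[str] = frozenset()


class PolicyServer:
    """Policy decision point on the appliance: agreement version, admin list, audit."""

    def __init__(self, agreement_version: int, allowed_apps) -> None:
        self.agreement_version = agreement_version
        self.allowed_apps: FrozenSet[str] = frozenset(allowed_apps)
        self.records: Dict[Tuple[str, str], DeviceRecord] = {}
        self.audit: List[Tuple[str, str, str, str]] = []   # user, device, app, hash

    def needs_agreement(self, user: str, device: str) -> bool:
        """Step 317: prompt unless this user/device accepted the current version."""
        rec = self.records.get((user, device))
        return rec is None or rec.agreement_version != self.agreement_version

    def record_acceptance(self, user: str, device: str) -> None:
        """Step 420: store acceptance keyed by user, device and agreement version."""
        rec = self.records.setdefault((user, device), DeviceRecord())
        rec.agreement_version = self.agreement_version

    def app_list_for(self, user: str, device: str) -> Tuple[FrozenSet[str], bool]:
        """Step 425: return the admin list and whether it changed since last session."""
        rec = self.records[(user, device)]
        changed = rec.last_app_list != self.allowed_apps
        rec.last_app_list = self.allowed_apps
        return self.allowed_apps, changed

    def log_traffic(self, user: str, device: str, app: AppInfo) -> None:
        """Step 330: the tunnel server records which application/version sent data."""
        self.audit.append((user, device, app.name, app.version_hash()))

    def compliant(self, user: str, device: str) -> bool:
        """Administrator's audit: every app that sent data was on the authorized list."""
        return all(name in self.allowed_apps
                   for u, d, name, _ in self.audit if (u, d) == (user, device))


class Agent:
    """Client-side agent (FIG. 2): enforces the user-trimmed list on the device."""

    def __init__(self, policy: PolicyServer, user: str, device: str) -> None:
        self.policy, self.user, self.device = policy, user, device
        self.allowed: FrozenSet[str] = frozenset()
        self.prompted_with_list = False          # True only when the list changed
        self.sent: List[Tuple[str, str]] = []    # local record the user can inspect

    def login(self, accept: bool) -> bool:
        """Steps 310-320: after authentication, gate the session on acceptance."""
        if self.policy.needs_agreement(self.user, self.device):
            if not accept:                       # steps 410/415: decline ends session
                return False
            self.policy.record_acceptance(self.user, self.device)
        self.allowed, self.prompted_with_list = self.policy.app_list_for(
            self.user, self.device)
        return True

    def remove_apps(self, names) -> FrozenSet[str]:
        """Steps 430-435: user deselects apps; the server is not told of the trim."""
        self.allowed = self.allowed - frozenset(names)
        return self.allowed

    def send(self, app: AppInfo, destination: str) -> bool:
        """Step 325: only traffic from apps still on the local list crosses the tunnel."""
        if app.name not in self.allowed:
            return False
        self.sent.append((app.name, destination))
        self.policy.log_traffic(self.user, self.device, app)
        return True
```

Both audit views described in the text fall out of this: the user reads `agent.sent`, the administrator reads `policy.audit` and `policy.compliant(...)`, and neither view reveals which apps the user removed.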

FIG. 5 is a block diagram of an exemplary system for implementing a computing device. System 500 of FIG. 5 may be implemented in the contexts of the likes of client device 110, VPN appliance 130 and corporate server 140. The computing system 500 of FIG. 5 includes one or more processors 510 and memory 520. Main memory 510 stores, in part, instructions and data for execution by processor 510. Main memory 520 can store the executable code when in operation. The system 500 of FIG. 5 further includes a mass storage device 530, portable storage medium drive(s) 540, output devices 550, user input devices 560, a graphics display 570, and peripheral devices 580.

The components shown in FIG. 5 are depicted as being connected via a single bus 590. However, the components may be connected through one or more data transport means. For example, processor unit 510 and main memory 520 may be connected via a local microprocessor bus, and the mass storage device 530, peripheral device(s) 580, portable storage device 540, and display system 570 may be connected via one or more input/output (I/O) buses.

Mass storage device 530, which may be implemented with a magnetic disk drive or an optical disk drive, is a non-volatile storage device for storing data and instructions for use by processor unit 510. Mass storage device 530 can store the system software for implementing embodiments of the present invention for purposes of loading that software into main memory 520.

Portable storage device 540 operates in conjunction with a portable non-volatile storage medium, such as a floppy disk, compact disk or digital video disc, to input and output data and code to and from the computer system 500 of FIG. 5. The system software for implementing embodiments of the present invention may be stored on such a portable medium and input to the computer system 500 via the portable storage device 540.

Input devices 560 provide a portion of a user interface. Input devices 560 may include an alpha-numeric keypad, such as a keyboard, for inputting alpha-numeric and other information, or a pointing device, such as a mouse, a trackball, stylus, or cursor direction keys. Additionally, the system 500 as shown in FIG. 5 includes output devices 550. Examples of suitable output devices include speakers, printers, network interfaces, and monitors.

Display system 570 may include a liquid crystal display (LCD) or other suitable display device. Display system 570 receives textual and graphical information, and processes the information for output to the display device.

Peripherals 580 may include any type of computer support device to add additional functionality to the computer system. For example, peripheral device(s) 580 may include a modem or a router.

The components contained in the computer system 500 of FIG. 5 are those typically found in computer systems that may be suitable for use with embodiments of the present invention and are intended to represent a broad category of such computer components that are well known in the art. Thus, the computer system 500 of FIG. 5 can be a personal computer, hand held computing device, telephone, mobile computing device, workstation, server, minicomputer, mainframe computer, or any other computing device. The computer can also include different bus configurations, networked platforms, multi-processor platforms, etc. Various operating systems can be used including Unix, Linux, Windows, Macintosh OS, Palm OS, and other suitable operating systems.

The foregoing detailed description of the technology herein has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the technology to the precise form disclosed. Many modifications and variations are possible in light of the above teaching. The described embodiments were chosen in order to best explain the principles of the technology and its practical application to thereby enable others skilled in the art to best utilize the technology in various embodiments and with various modifications as are suited to the particular use contemplated. It is intended that the scope of the technology be defined by the claims appended hereto.

What is claimed is:
1. A method for establishing a connection, comprising: establishing a connection between a user client device and a server, the user client device having a plurality of applications and associated with a user; presenting to the user through the user client device and from the server user agreement on what a corporate network will access on the user client device; receiving a confirmation of the user agreement from the user by the client device; and providing the client access to the corporate network by the server.
2. The method of claim 1, further comprising generating the user agreement for the user and user client device combination.
3. The method of claim 1, further comprising storing the user acceptance of the user agreement for the user and user client device combination.
4. The method of claim 1, further comprising providing the user agreement to the user subsequent to the providing the client access to the corporate network.
5. The method of claim 1, further comprising: receiving login information from the user by the server via the user client device; determining if the limits on what a corporate network will access on the user client device has changed; providing an updated version of the limits on what a corporate network will access on the user client device; and providing the client access to the corporate network by the server once the user has accepted the updated version of the limits on what a corporate network will access on the user client device.
6. The method of claim 1, further comprising: providing the user with information regarding what applications have sent data to the corporate network; and providing an indication of compliance to the user regarding whether the data sent by the applications complies with the user agreement on what a corporate network will access on the user client device.
7. The method of claim 1, further comprising: providing an administrator of the corporate network with information regarding what applications have sent data to the corporate network; and providing an indication of compliance to the administrator regarding whether the data sent by the applications complies with the user agreement on what a corporate network will access on the user client device.
8. The method of claim 1, further comprising providing a list of applications allowed to access the corporate network to the user, the list provided from the server to the user through the user client device.
9. The method of claim 8, further comprising receiving input from the user to select a subset of the list of applications to access the corporate network, wherein the one or more applications not selected by the user are blocked access to the corporate network.
10. The method of claim 8, wherein the list is provided to the user at the start of the connection between the user client device and the server.
11. The method of claim 10, further comprising: detecting during the connection a change to the list of applications allowed to access the corporate network; and providing the user with an updated list of applications allowed to access the corporate network.
12. A non-transitory computer readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method for establishing a connection, the method comprising: establishing a connection between a user client device and a server, the user client device having a plurality of applications and associated with a user; presenting to the user through the user client device user agreement on what a corporate network will access on the user client device; receiving a confirmation of the user agreement from the user by the client device; and providing the client access to the corporate network.
13. The non-transitory computer readable storage medium of claim 12, further comprising generating the user agreement for the user and user client device combination.
14. The non-transitory computer readable storage medium of claim 12, further comprising storing the user acceptance of the user agreement for the user and user client device combination.
15. The non-transitory computer readable storage medium of claim 12, further comprising providing the user agreement to the user subsequent to the providing the client access to the corporate network.
16. The non-transitory computer readable storage medium of claim 12, further comprising: receiving login information from the user by the server via the user client device; determining if the limits on what a corporate network will access on the user client device has changed; providing an updated version of the limits on what a corporate network will access on the user client device; and providing the client access to the corporate network by the server once the user has accepted the updated version of the limits on what a corporate network will access on the user client device.
17. The non-transitory computer readable storage medium of claim 12, further comprising: providing the user with information regarding what applications have sent data to the corporate network; and providing an indication of compliance to the user regarding whether the data sent by the applications complies with the user agreement on what a corporate network will access on the user client device.
18. The non-transitory computer readable storage medium of claim 12, further comprising: providing an administrator of the corporate network with information regarding what applications have sent data to the corporate network; and providing an indication of compliance to the administrator regarding whether the data sent by the applications complies with the user agreement on what a corporate network will access on the user client device.
19. The non-transitory computer readable storage medium of claim 12, further comprising providing a list of applications allowed to access the corporate network to the user, the list provided from the server to the user through the user client device.
20. The non-transitory computer readable storage medium of claim 19, further comprising receiving input from the user to select a subset of the list of applications to access the corporate network, wherein the one or more applications not selected by the user are blocked access to the corporate network.
21. The non-transitory computer readable storage medium of claim 19, wherein the list is provided to the user at the start of the connection between the user client device and the server.
22. The non-transitory computer readable storage medium of claim 21, further comprising: detecting during the connection a change to the list of applications allowed to access the corporate network; and providing the user with an updated list of applications allowed to access the corporate network.
23. A device for establishing a connection with a remote server, the device including: a processor; memory; an agent stored in memory and executed by the processor to establish a connection between a user client device and a server, the user client device having a plurality of applications and associated with a user, present to the user through the user client device a user agreement on what a corporate network will access on the user client device, receive a confirmation of the user agreement from the user by the client device, and provide the client access to the corporate network.
24. The device of claim 23, further comprising generating the user agreement for the user and user client device combination.
25. The device of claim 23, further comprising storing the user acceptance of the user agreement for the user and user client device combination by the server.
26. The device of claim 23, further comprising providing the user agreement to the user subsequent to the providing the client access to the corporate network by the server.
27. The device of claim 23, further comprising: receiving login information from the user by the server via the user client device; determining if the limits on what a corporate network will access on the user client device has changed; providing an updated version of the limits on what a corporate network will access on the user client device; and providing the client access to the corporate network by the server once the user has accepted the updated version of the limits on what a corporate network will access on the user client device.
28. The device of claim 23, further comprising: providing the user with information regarding what applications have sent data to the corporate network; and providing an indication of compliance to the user regarding whether the data sent by the applications complies with the user agreement on what a corporate network will access on the user client device.
29. The device of claim 23, further comprising: providing an administrator of the corporate network with information regarding what applications have sent data to the corporate network; and providing an indication of compliance to the administrator regarding whether the data sent by the applications complies with the user agreement on what a corporate network will access on the user client device.
30. The device of claim 23, further comprising providing a list of applications allowed to access the corporate network to the user, the list provided from the server to the user through the user client device.
31. The device of claim 30, further comprising receiving input from the user to select a subset of the list of applications to access the corporate network, wherein the one or more applications not selected by the user are blocked access to the corporate network.
32. The device of claim 30, wherein the list is provided to the user at the start of the connection between the user client device and the server.
33. The device of claim 32, further comprising: detecting during the connection a change to the list of applications allowed to access the corporate network; and providing the user with an updated list of applications allowed to access the corporate network.